NAME

ddb - kernel debugger

DESCRIPTION

The ddb debugger provides a means for debugging the kernel, and analysing
the kernel after a system crash ("panic"), with a gdb(1)-like syntax.
ddb is only available if the kernel was configured with the DDB option.
ddb will be invoked upon a kernel panic when the sysctl(8) name ddb.panic
is set to 1. ddb may be invoked from the console by the key sequence
Ctl-Alt-Esc or by sending a BREAK if using a serial console, when the
sysctl(8) name ddb.console is set to 1.
ddb prompts for commands on the console with:
ddb>
The general syntax of a ddb command is:
command [/modifiers] [address][,count]
To save typing, ddb makes use of a context inferred from previous com-
mands. In this context, the current location is called dot. The examine,
search, and write commands update dot to be that of the last address ex-
amined or the last location modified, and have intuitive effects on next
and prev. All the other commands do not change dot, and set next to be
the same. (See VARIABLES.)
An expression can be used in place of address (see EXPRESSIONS). Omitting
address in a command uses the last value of dot. A missing count is taken
to be 1 for printing commands or Infinity for stack traces. Entering a
blank line causes the last command to be repeated using next in place of
address, a count of 1, and no modifiers.
ddb has a feature like more(1) for the output. If the number of lines
output in response to one command exceeds the number set in the $lines
variable, it displays the message '--db_more--' and waits for a response.
The valid responses are:
<space>
One more page.
<return>
One more line.
q Abort the current command, and return to the command input
mode.
The following command line editing keys are provided:
^b back one character
^f forward one character
^a beginning of line
^e end of line
^w erase word back
^h | <del>
erase previous character
^d erase next character
^k delete to end of line
^u delete line
^p previous in command history
^n next in command history
^r redraw line

COMMANDS

The following commands may be typed at the 'ddb>' prompt. Some commands
consist of more than one word, and if only the first word or words are
entered, the possible alternatives to complete the command are displayed
and no other action is performed.
help
List the available commands.
[e]x[amine] [/bhlaAxzodurcsmiI] [addr][,count]
Display the contents at address addr according to the formats in the
modifier. Multiple modifier formats display multiple locations. If
no format is specified, the last formats specified for this command
are used.
The format characters are:
/b look at by bytes (8 bits)
/h look at by half words (16 bits)
/l look at by long words (32 bits) (default)
/a print the location being displayed
/A print the location with a line number if possible
/x display in unsigned hex
/z display in signed hex
/o display in unsigned octal
/d display in signed decimal
/u display in unsigned decimal
/r display in current radix, signed
/c display low 8 bits as a character. Non-printing characters are
displayed as an octal escape code (e.g., '\000').
/s display the null-terminated string at the location. Non-
printing characters are displayed as octal escapes.
/m display in unsigned hex with character dump at the end of each
line. The location is also displayed in hex at the beginning
of each line.
/i display as an instruction
/I display as an alternate format instruction depending on the
machine:
vax Don't assume that each external label is a procedure
entry mask.
i386 Don't round to the next long word boundary.
mips Print register contents.
The value of next is set to the addr plus the size of the data exam-
ined.
xf Examine forward. Execute an examine command with the last specified
parameters to it except that the next address displayed by it is
used as the start address.
xb Examine backward. Execute an examine command with the last specified
parameters to it except that the last start address subtracted by
the size displayed by it is used as the start address.
print [/axzodurc] [addr [addr ...]]
Print each addr according to the modifier character. The valid
modifiers are a subset of those from the examine command, and act as
described there. If no modifier is specified, the last one specified
in a previous use of print is used. The addr argument can be a
string, and it is printed as a literal.
For example,
print/x "eax = " $eax "\necx = " $ecx "\n"
will print something like this:
eax = xxxxxx
ecx = yyyyyy
w[rite] [/bhl] [addr] expr [expr ...]
Write the value of each expr expression at succeeding locations
start at addr. The write unit size can be specified using one of the
modifiers:
/b byte (8 bits)
/h half word (16 bits)
/l long word (32 bits) (default)
The value of next is set to addr plus the size of values written.
Warning: since there is no delimiter between expressions, the com-
mand may not parse as you expect. It is best to enclose each expres-
sion in parentheses.
set $name [=] expr
Set the named variable or register with the value of expr. Valid
variable names are described below.
boothow
Reboot the machine depending on how:
boot sync Sync disks and reboot.
boot crash Dump core and reboot.
boot dump Sync disks, dump core and reboot.
boot halt Just halt.
boot reboot Just reboot.
boot poweroff Power down the machine whenever possible; if it
fails, just halt.
break [/u] [addr][,count]
Set a break point at addr. If count is supplied, ddb allows the
breakpoint to be silently hit (count - 1) times before stopping at
the break point.
If the break point is successfully set, a break point number is
displayed, in the form #number. This can later be used in deleting
the break point or for adding conditions to it.
When the /u modifier is specified, addr is taken as a user space ad-
dress. Without it, the address is considered as a kernel space ad-
dress. Wrong space addresses are rejected with an error message. The
/u modifier can be used only if it is supported by machine dependent
routines.
Warning: if a user text is shadowed by a normal user space debugger,
user space break points may not work correctly. Setting a breakpoint
at the low-level code paths may also cause strange behavior.
d[elete] [addr | #number]
Delete the break point set with the break command.
s[tep] [/p] [,count]
Single step count times. If the /p modifier is specified, print each
instruction at each step. Otherwise, only print the last instruc-
tion.
Warning: depending on machine type, it may not be possible to
single-step through some low-level code paths or user space code. On
machines with software-emulated single-stepping (e.g., pmax), step-
ping through code executed by interrupt handlers will probably do
the wrong thing.
callname(expr [,expr ...] )
Call the function named by name with the argument(s) listed in
parentheses. Parentheses may be omitted if the function takes no ar-
guments. The number of arguments is currently limited to 10.
c[ontinue] [/c]
Continue execution until a breakpoint or watchpoint. If the /c
modifier is given, instructions are counted while executing. Some
machines (e.g., pmax) also count loads and stores.
Warning: when counting with /c, ddb is really silently single-
stepping. This means that single-stepping on low-level code may
cause strange behavior.
watchaddr [,size]
Set a watchpoint for the region starting at addr. Execution stops
and control returns to ddb when an attempt is made to modify a
watched region. The size argument defaults to 4.
If you specify a wrong space address, the request is rejected with
an error message.
Warning: attempts to watch wired kernel memory may cause an unrecov-
erable error on some systems (e.g., i386). Watchpoints on user ad-
dresses work best.
dwatchaddr
Delete the watchpoint at address addr that was previously set with a
watch command.
hangman [/s[0-9]]
This is a tiny and handy tool for random kernel hangs analysis, of
which its depth is controlled by the optional argument of the de-
fault value of five. It uses some sophisticated heuristics to spot
the global symbol that caused the hang. Since the discovering algo-
rithm is a probabilistic one, you may spend substantial time to fig-
ure the exact symbol name. This smart thing requires a little of
your attention, the input it accepts is mostly of the same format as
that of the famous hangman(6) game, to which it, apparently, is ob-
liged by the name. Hint: the nm(1) utility might help.
until [/p]
Stop at the next "call" or "return" instruction. If the /p modifier
is specified, ddb prints the call nesting depth and the cumulative
instruction count at each call or return. Otherwise, it stays silent
until the matching return is hit.
match [/p]
Stop at the next matching return instruction. If the /p modifier is
specified, ddb prints the call nesting depth and the cumulative in-
struction count at each call or return. Otherwise, it remains mostly
quiet.
next [/p]
The next command is a synonym for match.
trace [/u] [frameaddr][,count]
Show the stack trace. The /u modifier shows the stack trace of user
space; if omitted, the kernel stack is traced instead. The count ar-
gument is the limit on the number of frames to be followed. If count
is omitted, all frames are printed.
Warning: user space stack trace is valid only if the machine depen-
dent code supports it.
search [/bhl] [addr] value [mask] [,count]
Search memory for a value beginning at addr. This command might fail
in interesting ways if it doesn't find the searched-for value. This
is because ddb doesn't always recover from touching bad memory. The
optional count argument limits the search. The modifiers are the
same as those of the write command.
The next address is set to the address where value is found, or just
after where the search area finishes.
showwhat
Displays various things, depending on what:
show breaks
Prints a list of all breakpoints that have been set with the
break command.
show extents
Prints a detailed list of all extents.
show malloc [addr]
Prints malloc debugging information if available. If an op-
tional address is specified, only information about that ad-
dress is printed.
show map [/f] addr
Prints the vm_map at addr. If the /f modifier is specified the
complete map is printed.
show object [/f] addr
Prints the vm_object at addr. If the /f modifier is specified
the complete object is printed.
show page [/f] addr
Prints the vm_page at addr. If the /f modifier is specified
the complete page is printed.
show pool [/clp] addr
Prints the pool at addr. Valid modifiers:
/c Print the cachelist and its statistics for this pool.
/l Print the log entries for this pool.
/p Print the pagelist for this pool.
show proc [addr]
Prints the struct proc at addr. If an optional address is not
specified curproc is assumed.
show registers [/u]
Display the register set. If the /u modifier is specified, it
displays user registers (or the currently saved registers) in-
stead of the kernel's. Note: The /u modifier is not supported
on every machine, in which case incorrect information may be
displayed.
show uvmexp
Displays a selection of uvm counters and statistics.
show watches
Displays all watchpoints set with the watch command.
show all procs [/anw]
Display information on all processes.
/n (Default) Show process information in a ps(1)-like for-
mat. Information printed includes process ID, parent pro-
cess ID, process group, UID, process status, process
flags, process command name, and process wait channel
message.
/a Shows the kernel virtual addresses of each process' proc
structure, u-area, and vmspace structure. The vmspace ad-
dress is also the address of the process' vm_map struc-
ture and can be used in the show map command.
/w Shows each process' PID, command, system call emulation,
wait channel address, and wait channel message.
show all callout
Display the contents of the callout table.
callout
A synonym for the show all callout command.
ps [/anw]
A synonym for show all procs.

VARIABLES

ddb denotes registers and variables by $name. Register names can be found
with the show registers command.
Some variable names are suffixed with numbers, and some may have a modif-
ier following a colon immediately after the variable name. For example,
register variables can have the ':u' modifier to indicate a user register
(e.g., '$eax:u').
Built-in debugger variables currently supported are:
$radix
Input and output radix.
$maxoff
Addresses are printed as symbol+offset unless offset is
greater than $maxoff.
$maxwidth
The width of the displayed lines.
$lines
The number of lines to page. This is used by the "more"
feature.
$tabstops
Tab stop width.
$workxx
Work variables. The suffix xx is a number from 0 to 31.

EXPRESSIONS

Almost all expression operators in C are supported except for '~', '^',
and unary '&'. Special rules for expressions in ddb are:
identifier
The name of a symbol. It is translated to the address (or
value) of the symbol. '.' and ':' can be used in the identif-
ier. The following can be accepted as an identifier, if sup-
ported by an object format dependent routine:
[filename:]func [:linenumber]
[filename:] variablefilename [:linenumber]
The symbol may be prefixed with 'symboltablename::' (e.g.,
'emulator::mach_msg_trap') to specify other than kernel sym-
bols.
number
The radix is determined by the first two letters: '0x': hex,
'0o': octal, '0t': decimal, otherwise, the value of $radix is
used.
. dot: the current address.
+ next: the next address.
.. The address of the start of the last line examined. Unlike dot
or next, this is only changed by the examine or write command.
' The last address explicitly specified.
$variable
The value of a register or variable. The name may be followed
by a ':' and modifiers as described above with identifier.
expr # expr
A binary operator which rounds up the left hand side to the
next multiple of right hand side.
*expr
Indirection. It may be followed by a ':' and modifiers as
described above.

SEE ALSO

HISTORY

This kernel facility first appeared in MACH 2 operating system developed
by CMU. Hangman (which stands for "hangs maniacal analyzer") first ap-
peared in OpenBSD 1.2.
MirOS BSD #10-current November 30, 1993 6